2 min read
A critical supply chain compromise has been disclosed in the npm JavaScript ecosystem, exposing enterprises worldwide to risks of cryptocurrency theft, credential leakage, and unauthorized code execution. The incident, reported on September 8, 2025, was confirmed by Pakistan’s National Cyber Emergency Response Team (NCERT), which has urged organizations to immediately patch all affected packages.
The breach occurred after attackers compromised the credentials of maintainer Josh Junon (alias qix) and uploaded malicious versions of at least 18 widely used npm packages, including debug, chalk, ansi-styles, and strip-ansi. These malicious releases were automatically fetched by developers and CI/CD pipelines, making the attack low-complexity but high-impact.
According to the NCERT advisory, the injected packages carried a browser-based cryptostealer payload designed to intercept cryptocurrency transactions, exfiltrate API keys and credentials, and redirect sensitive data to attacker-controlled servers. With npm packages downloaded over 2 billion times weekly, the compromise is rated critical (CVSS v3.1 score 9.8) and poses severe risks for financial systems, e-commerce platforms, and enterprise applications
The advisory highlights that the malicious packages created outbound connections to attacker controlled crypto wallets and triggered abnormal credential harvesting from application logs clear indicators of compromise. It warns that such attacks could rapidly propagate across downstream systems, leading to systemic supply chain breaches.
Key Attack Details (NCERT Advisory)
| Indicator | Detail |
| Incident date | Sept 8, 2025 |
| Maintainer compromised | Josh Junon (qix) |
| Affected packages | [email protected], [email protected], [email protected], [email protected], and others |
| Payload | Browser-based cryptostealer |
| CVSS Score | 9.8 (Critical) |
| Exploitation | No user interaction beyond installation |
NCERT has strongly advised enterprises to update to the latest fixed versions, rebuild and redeploy affected applications, and rotate all exposed credentials, tokens, and API keys. It further recommends enforcing MFA for maintainer accounts, locking dependencies to verified versions, and monitoring pipelines for anomalies to prevent recurrence. The advisory concluded that immediate remediation is vital to prevent lasting infiltration of enterprise systems.
